James Comey's New Idea: An International Encryption Backdoor Partnership

from the let's-all-share-the-pain-equally dept

FBI Director James Comey is still pitching encryption backdoors, despite there being almost no one -- from the Intelligence Community to legislators around the world -- interested in what he's selling. Comey claims to be sitting on a pile of encrypted devices the FBI can't get into, even with help from outside contractors.

His latest backdoor idea was floated at a national security symposium at the University of Texas. Knowing any legislated backdoors might result in US device customers turning to overseas suppliers, Comey thinks he can minimize domestic fiscal damage by getting the rest of the world to fall in line with an idea most foreign governments still find unpalatable, even as they suffer terrorist attacks with a far greater frequency than we do at home. Michael Kan has more details at ComputerWorld:

Speaking on Thursday, Comey suggested that the U.S. might work with other countries on a “framework” for creating legal access to encrypted tech devices.

“I could imagine a community of nations committed to the rule of law developing a set of norms, a framework, for when government access is appropriate,” he said on Thursday.

Comey doesn't say how he plans to set this in motion. He's had no luck on the domestic front, so hoping for an "international framework" to spring into existence is, at best, inordinately hopeful. He directly addressed one of the many concerns device makers have about encryption backdoors, stating he had no desire to "chase innovation" out of the US. But that doesn't mean he's not interested in harming US innovation. He simply believes every country in the partnership should suffer equally.

As always happens when Comey opens his mouth about encryption, plenty of experts in the field are on hand to criticize his comments.

“I don’t think it makes sense,” said Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California Berkeley.

Comey’s idea means that all countries will essentially agree to weaken the security in their vendors’ tech products, Weaver said. However, other countries will balk, fearing that the U.S. might exploit the cooperation for spying purposes.

“Would you still use a U.S. product, even if you know the NSA (National Security Agency) could have the rights to it?” he said.

Most of our allies around the world are still stinging a bit from multiple national security leaks -- some of which have exposed nearly as much about the intrusiveness of their own security agencies as about the NSA's reach and grasp. With the NSA heavily involved in diverting hardware shipments to implant backdoors, no one's in any hurry to add their country to the list of "buyer beware" electronics.

Even if most of Europe agrees to weaken encryption to make law enforcement easier, there's no preventing non-partner countries from taking advantage of security holes to engage in greater domestic spying and civil rights abuses.

And, as is always the case when Comey opens his mouth about encryption, it's again suggested the nerds of the world are simply not applying themselves when it comes to "safe" backdoors.

[O]n Thursday, Comey said the tech industry can find an approach that creates government access, while keeping malicious actors out.

“It’s childish to stomp your foot, and say, ‘nerds you have to try harder,’” Cardozo said.

That's Comey all over: insisting he's right despite nearly no one else in the world agreeing with him. The phones he can't get into are apparently viewed as a personal insult -- a middle finger from device makers to the feds. He claims device makers shouldn't "decide how [their customers] live" by providing default encryption. He feels it should be left up to customers whether or not they want that level of security.

He makes this claim while pitching backdoors that remove that choice, allowing the FBI to tell Americans how to live: less securely, because criminals and terrorism. Again, classic Comey -- who handles every discussion of encryption like a child. He's not guileless, not by far. But he so deeply believes in the inherent "rightness" of his arguments that he's unable to see their inconsistency and incoherence. Or worse, he does... but just doesn't care.

Reader Comments

Re: Re: Re: Re: What if the encryption key is spread across several legal jurisdictions?

I was addressing the specific question (above) of needing to rekey every device on the planet every time the master key was used, using an example based on a system I use on a regular basis.

It wasn't a dissertation on how to design a system for Comey.

And to address your point "the key being passed around": from a purely technical perspective, that could be addressed, too. It increases cost, and makes the system more burdensome to use, but at the end of the day you'd only reduce exposure in some areas and increase it in others.

Any individual technical question could likely be addressed with technology we have today, at least at small scale.

But when you combine the necessary technologies and scale to global proportions, the loss expectancies, risk, and threat profiles get really ugly, really fast.